This is a blog about the future of digital media law from Laurence Kaye. Laurence runs Laurence Kaye Consulting Limited (click here), bringing insight an clarity to the complexities of the digital world.

June 07, 2011

My colleague Sherif Malak has been munching his way through the subject of cookies. We hope you'll find this helpful!

If you’ve sorted through the flurry of guidance and commentary thrown up over the last couple of weeks concerning the UK’s implementation of the changes to the e-Privacy Directive, you would be forgiven for feeling slightly bewildered. As a certain fuzzy blue Sesame Street character might say, “it’s all about the cookie.” The exact type being a small file that is sent to and stored on a user’s terminal (normally through their internet browser) when they access a website. The information in the cookie can then later be read by the website server.

These online cookies, like their culinary counterparts, come in a variety of flavours – temporary, persistent, third party - and carry out a variety of different functions – verification, authentication, analytics, behavioural tracking. The new rules apply to all of them and the UK’s implementation of the amendments to the EU e-Privacy directive, which recently came into effect on 26 May 2011, has already been met with a great deal of controversy. So what are the new rules, why such controversy and where do website providers stand in light of them?

The new rules change the previous ‘informed opt-out’ arrangement to an ‘informed opt-in’ regime i.e. except for cookies that are “strictly necessary” for the service requested by a user, web site providers must obtain users’ consent whenever they wish to store or access cookies on their machines.

But what is consent? The operative provisions are quite ambiguous, in part because the European Parliament, only managed to get wording that consent was neither ‘explicit’ nor ‘prior consent’ into the recitals and not the operative provisions of the Directive. The situation wasn’t helped by the Article 29 Working Party’s view advocating prior, specific, informed opt-in based consent.

In its implementation, the UK Government has included part of the recitals to the Directive, the infamous ‘Recital 66’, in the operative provisions of the implementing Regulations which, under 3A state that “consent may be signified by a subscriber who amends or sets controls on the internet browser.” But hopes that website providers could rely on users’ browser preferences were dashed when DCMS announced in its April open letter that current browser settings would be unlikely to be sufficient to provide consent as things stand. Whilst the Government will be looking to work with browser manufacturers in the near future to improve their privacy settings so that providers can rely on such settings, in the meantime consent has to be sought in some other manner. The DCMS made clear however, that where consent for cookies is concerned, the Directive does not use the word ‘prior’ did not “preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing.”

So where does that leave things? Cue the ICO with new guidance and on the eve before the Regulations take effect, the somewhat inelegant implementation of the rules for its own website leaving website developers shivering at the thought of having to use pop up consent boxes that ominously state “One of the cookies we use is essential for parts of the site to operate and has already been set.”

I won’t go through the ICO guidance here as it is clearly written, however it does leave many questions unanswered, including what providers should do where third party cookies are concerned. And what of cookies originally set as a first party cookie but subsequently read in a third party context? Cookies that are highly privacy intrusive cookies are likely to need prior consent but what exactly is needed for cookies that aren’t strictly necessary but are not privacy intrusive? Where prior consent may not be needed, is prominent notice enough?

Despite this ambiguity , I don’t think all this should be too much cause for concern at the moment. The ICO has made clear that it will provide organisations with a grace period of 1 year to comply with the new rules. Although they must show that they are “taking steps” to comply, the aesthetically displeasing ICO implementation surely indicates that the solution to obtaining consent for cookies is one that lies with the underlying browsing technology, whether that be “browsers” as we know them today or the soon to be commonplace ‘in-App’ browsing functionality on smartphones. Older browsers might require a separate approach but as web developers adopt new technology, such as HTML5, such exceptions will become far less of a problem. Indeed, Google has already announced that it will phasing out support for older browsers from 1 August.

Although what the new rules require may still be a little grey, one thing is quite clear: software developers are now on notice – technology is a clear favourite to this legal ‘problem’. Cookie settings must be built into code and in anticipation of clear demand for such features, there’s no reason why this new breed of software won’t be with us by the time the ICO grace period expires.

May 22, 2009

My colleague, Yasmin Joomraty, attended a very interesting forum on 'Behavioural Targeting, Social Networking and the Challenges of Online Privacy' earlier this week. We were discussing her views and I asked her to blog about them so here follow her personal reflections on profiling, targeting and behavioural advertising...

(Yasmin writes) "I returned to my desk today to write up my take on the issues discussed at the Westminster eForum. At the forum, the Assistant Information Commissioner had mentioned the 'Personal Information Promise' on the ICO website to which companies can sign up. I Googled it to find out more. As soon as I had keyed "personal info" into the search bar, top of the list of Google's suggested search terms for my search was - you guessed it - "Personal Information Promise". In light of the comments the delegate from Phorm had made regarding search engines profiling and targeting users in more ways than Phorm would ever wish to, I chuckled to myself at this timely demonstration.

I then went to look up "privacy enhancing technologies" and, again, no sooner had I typed "privacy e" but Google had guessed what I was looking for. Handy, yes. But a little disconcerting in light of the 'challenges for online privacy' I was contemplating.

"Google uses cookies and other technologies to enhance your online experience and to learn about how you use Google services in order to improve the quality of our services."

and

"Google’s servers automatically record information when you visit our website or use some of our products, including the URL, IP address, browser type and language, and the date and time of your request."

So that explains the customised search suggestions. Google knows my IP address and has tracked my online behaviour in order to provide me with this service - which, incidentally, I do not remember signing up for. This raises 3 questions for me:

What constitutes personal data? An IP address has been held to be personal data. So Google has obligations under the DPA here.

Does it matter whether information about me constitutes personal data or not? As technologies evolve and trackers can find out more about me, should the obligations under the DPA stop at personal data? Do I have a valid objection to companies building up a profile of me which, although it does not constitute personal data, consists only of numbers and codes, and is never even read by a human but simply passes through a 'black box' (as the Phorm delegate called it), but which nevertheless corresponds to me and my habits, some of which may be private? As society understands the new technologies better, there is scope for data about my behaviour finding its way to third parties and even saying private things about me to others? For example, if a friend uses my laptop and notices that the suggested search terms and targeted ads are geared towards Botox, this may reveal something about me that is private and if not constitutes then relates to personal data.

Have I consented? I would describe myself as protective over my online presence and reluctant to receive marketing communications - I tend to search for opt-outs and actively select my preferences. The notion of informed consent is often debated but it seems to me that if I find it difficult to ascertain what Google is doing with my information and how to opt out of the same, then how will the 'reasonable man' who is not actively looking or notified?

More worryingly, another point in Google's Privacy Overview is:

"Google collects personal information when you register for a Google service or otherwise voluntarily provide such information. We may combine personal information collected from you with information from other Google services or third parties to provide a better user experience, including customizing content for you."

Does this include/anticipate collaboration with Phorm-like behavioural trackers?

As new technologies and social attitudes merge to cause the shift in media, publishing and entertainment from a 'one to many' broadcast to the two way dialogue of 'many to many' communication, so advertising is reaching its holy grail of targeting specific individuals with relevant messages.

An individual's online presence makes him part of the online world (consumer, broadcaster, commentator, buyer, seller, MMORPG player all in one) in a way that he never was before TV remotes had red buttons. The fact that that individual has an online presence exposes him to risks which do not apply in the offline world. These risks mostly centre on that individual's data - the type he chooses to share and the type he does not know he is sharing.

However, advertising has rich benefits and should not be unduly stifled. It is the driver for online growth and funds much of our virtual activities. It offers choice to consumers and can entertain, inform and empower.

January 21, 2008

I've just finished watching a webcast of a European Parliament Hearing on 'Data protection on the internet, (Google-Doubleclick and other case studies)'. "Rather you than me", you might say. Not at all. It's a really interesting hearing of the Committee on Civil Liberties, Justice and Home Affairs, following Google's acquisition of Doubleclick.

One of the contributors to the Hearing, from the Office of the Dutch Data Protection Regulator, made some very clear statements which are worth recording because they re-state some central issues relating to data protection and the internet.

IP addresses are definitely "personal data" and so within the scope of data protection rules. Although this is a view already held by many commentators, others often dispute it. The Dutch Regulator's representative gave one particularly good reason in support of this interpretation: IP addresses are used to discriminate between what content (e.g. advertisers) is served to users in different geographical locations based on their IP addresses.

The European Privacy Directive applies to every global search engine in the world which serves European citizens. So arguments about whether the EU has jurisdiction over, say, US-based search engines - can you think if any?! - can be confidently dismissed. The only exception is in respect of some limited, local language search engines focused on a national market e.g. a Japanese search engine that specifically caters for the Japanese market in Japanese that is only occasionally visited by EU citizens.

On transparency: search engines should inform their users up front in a transparent way about the purposes of their data processing. In particular, it was stressed that where users use several services from one company, it should be made very clear how profile data are combined (or not) across these services.

The right of citizens to access their data and to correct them is a crucial principle in the Privacy Directive.

Her three conclusions were:-

Trust is key; compliance with the Privacy Directive is a route to building trust with users, who place increasing value on their personal information.

The Privacy Directive provides an adequate framework to regulate the processing of personal data all search engines.

National Data Protection Authorities must have adequate enforcement powers.

December 10, 2007

It's not everyday that I get a piece published in the Guardian, so you might like to check out my 'Comment' piece on social network sites and privacy, published today by the Guardian in a guide on Digital media law and available online here.

The piece focuses on Facebook. It's interesting that, following an avalanche of complaints, Facebook have now changed 'Beacon', its new Social Ads platform, to allow users to opt-in to sharing information gathered on third party sites (e.g. eBay) with their friends on Facebook. It shows that the trend from opt-out to opt-in, even where it isn't mandated by law, is growing.

November 21, 2007

Well, HM Revenue & Customs have certainly proved the point in my last blog about privacy moving up the consumer agenda by mislaying two discs, with personal and financial details of 25 million people, going missing in the post.

Is the 'tipping point', at least for the UK, which will make organisations really take data protection law seriously? I think it is. Of course, there are plenty of reputable companies who already do. But why does it take something as mindboggling as HMRC's recent action to shake up the public and private sector alike? I suggest three reasons:

Arcane nature of data protection law and terminology: Terms such as "Data Controller", "Data Subject", "Structured Filing Systems" and even the term "data protection"make the subject sound technical and more concerned with the protection of the data itself rather than that of citizen's privacy. The language of the law needs to be simplified and demystified.

Lack of teeth: Penalties for non-compliance are derisory and the Information Commissioner lacks a number of key enforcement powers, including the right to enter premises to inspect where serious breaches are suspected.

The value of information: For many online businesses, its customer database is one of its most valuable assets. In co-branding deals, joint ventures and other online deals, the contractswill talk about ownership of that data and the parties' rights to use it. So there is an inherent tension between the ownership and exploitable value of customer data on the one hand and the privacy rights of those customerd on the other. This is not an irreconcilable conflict. It can - and should - be dealt with contractually, through privacy policies and proper data protection compliance policies.

The HMRC debacle is a timely reminder about the core principles on which data protection compliance is built. It's not just a matter of writing a well-drafted Privacy Policy. It's more about having the right technical and organisational processes in place to manage the risks associated with handling personal information.

Whilst on the subject of privacy, one of my reader's has just raised an interesting point arising from my October 26th post about the Sheffield Wednesday case and the circumstances in which a Judge will order an ISP or other host to disclose the identity of its users where, for example, someone wants to sue for an allegedly defamatory statement posted by a user. My reader pointed out the Judge's comment that "I take into account also that the Defendant does not appear to have had any policy of confidentiality for the benefit of his users" and asks whether including such a provision in the terms and conditions for the Forum might have made the Judge decide not to order disclosure. Hhhm. Interesting point. Well, it seems to me that the inclusion of such a provision - which is not uncommon - would help the host to argue against the demand for disclosure but personally I don't think it would provide guaranteed immunity from disclosure. Just a personal view though, and definitely not formal advice.

Laurence Kaye

ps Happy Thanksgiving for our US readers!

pps If the disaster which has befallen HMRC has prompted you into thinking about a data protection audit, please let me know. We'd be pleased to help.